GRE Configuration and Interoperability Guide

GRE Configuration and
Interoperability Guide
Copyright
This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc.
Copying, reproducing, integrating, translating, modifying, enhancing, recording by any information
storage or retrieval system or any other use of this document, in whole or in part, by anyone other
than the authorized employees, customers, users or partners (licensees) of Zscaler, Inc. without the
prior written permission from Zscaler, Inc. is prohibited.
Copyright© 2014 Zscaler
Trademark Statements
Zscaler and NanoLog are trademarks or registered trademarks of Zscaler, Inc.
All other trademarked names used herein are the properties of their respective owners, and are used
for identification purposes only.
GRE Configuration and Interoperability Guide, Rev. C
GRE Guide, Rev. C Copyright © 2014 Zscaler -2-

Contents
Contents .................................................................................................................. 4
GRE Configuration and Interoperability Guide ................................................... 5
About GRE Tunnels................................................................................................. 6
Deployment Scenarios ..................................................................................................7
Configuring a GRE Tunnel ...................................................................................... 9
Configuration Tasks .................................................................................................... 10
Step 1: Provision GRE Tunnels .................................................................................. 11
Step 2: Add a Gateway Location................................................................................ 12
Step 3: Configure the Router/Firewall ...................................................................... 13
Configuration Example: Cisco 881 ........................................................................ 13
Configure the Cisco 881 Router ......................................................................... 14
Troubleshooting the Cisco 881 Router Configuration .................................... 18
Configuration Example: Juniper SRX .................................................................... 22
Configure the Juniper SRX220 Router ............................................................... 23
Troubleshooting .................................................................................................. 30
Complete Sample Configurations ......................................................................... 35
Complete Sample Configuration for the Cisco 881 ........................................ 35
Sample Configuration for the Juniper SRX220................................................. 41

GRE Configuration and Interoperability Guide
A GRE (Generic Routing Encapsulation) tunnel is ideal for forwarding HTTP and HTTPS traffic from
your corporate network to the Zscaler service. Use this guide to learn how to configure GRE tunnels
to forward traffic to the Zscaler service.
Learn about...
GRE Tunnels
Additionally, to learn about other supported traffic forwarding mechanisms, see Forwarding Traffic to
the Zscaler Service.

About GRE Tunnels
GRE (Generic Routing Encapsulation) is a tunneling protocol for encapsulating packets inside a
transport protocol. A GRE capable router or firewall encapsulates a payload packet inside a GRE
packet, which it then encapsulates in a transport protocol, such as IP, as shown in the following
figure.
A GRE tunnel functions like a VPN but without the encryption; it transports packets from one
endpoint through the public network to another endpoint.
GRE tunnels typically use keepalive packets to determine if a tunnel is up. The GRE tunnel source
creates a keepalive request packet and a keepalive response packet that it encapsulates and sends to
the tunnel destination together with the response packet. When the tunnel destination receives the
request packet, it just decapsulates the original packet and forwards the inner response packet back
to the originating peer. For more information about GRE, refer to RFC 2784, Generic Routing
Encapsulation (GRE).
If your corporate firewall or router supports GRE and its egress port has a static IP address, Zscaler
recommends that you configure a GRE tunnel to forward HTTP and HTTPS traffic from your corporate
network to the Zscaler service. It provides the following benefits:
 Supports both HTTP and HTTPS traffic.
 Supports failover in case the primary ZEN becomes unavailable.
 Requires minimal overhead
 No configuration on computers or laptops.
 Users on your corporate network cannot bypass the service.
 Tunneling can provide internal IP address information to Zscaler for use in policy design and
logging
You can also configure PAC files to forward the traffic of users who go on the road and off the
corporate network. See Using PAC Files.
Learn about...
Deployment Scenarios

Deployment Scenarios
The following are common GRE tunnel deployments:
GRE tunnels from the internal router to the ZENs.

Zscaler recommends that you configure two GRE tunnels from an internal router behind the firewall
to the ZENs; a primary tunnel from the router to a ZEN in one data center, and a secondary tunnel
from the router to a ZEN in another data center. This type of deployment provides visibility into the
internal IP addresses, which can be used for the Zscaler security policies and logging.
In this deployment, the GRE tunnel source IP address is a public IP address that is configured on the
loopback interface of the router. On the firewall, you'll need to define a rule that allows GRE traffic
from the router. Additionally, if your organization has redundant routers and/or ISPs, as shown in the
diagram below, you can configure the routers so failover to a redundant ISP is automatic.

GRE tunnels from the corporate firewall to the ZENs.
If your corporate firewall supports GRE, your organization can also configure two GRE tunnels from
the firewall to the ZENs; a primary tunnel from the firewall to a ZEN in one data center, and a
secondary tunnel from the firewall to a ZEN in another data center. On the firewall, you define one
rule to send HTTP and HTTPS traffic through the GRE tunnel to the ZENs. Like the first deployment
scenario, this type of deployment provides visibility into the internal IP addresses, which can be used
for the Zscaler security policies and logging. The firewall applies NAT on all the other traffic which it
sends directly to the Internet.
GRE tunnels from the border router to the ZENs.

If the first two deployments are not feasible, then you can configure a GRE tunnel from your border
router to the ZENs. This is the least preferred method because the internal IP addresses are not
visible. In this type of deployment, you will need to configure the border router to send HTTP and
HTTPS traffic to the ZEN and all other traffic to the Internet.
Learn about...
Configuring a GRE Tunnel

Configuring a GRE Tunnel
Note the following guidelines when configuring a GRE tunnel to the Zscaler service:
 Zscaler recommends configuring two separate GRE tunnels to two ZENs that are each located in
a different data center for high availability. If the primary GRE tunnel or an intermediate
connection goes down, all traffic is then rerouted through the backup GRE tunnel to the
secondary ZEN.
Ensure that if the primary tunnel goes down, that the router detects it and changes the routing
table or routing instance so that the secondary tunnel is used for traffic forwarding and vice
versa.
 Use the GRE tunnel to forward only HTTP and HTTPS traffic to the service. Send all other traffic
directly to the Internet.
If supported, use policy based-routing (PBR) to ensure that only HTTP and HTTPS traffic is sent
through the GRE tunnel. PBR is a mechanism that enables a router or firewall to determine
where to forward packets based on configured policies. When you configure a GRE tunnel, you
can use PBR to ensure that only HTTP and HTTPS traffic is sent thru the tunnel. A policy typically
includes a match criteria and the action that the router or firewall takes on the traffic. Match
criteria can include the source and destination IP addresses and ports, and the protocol, such as
HTTP or HTTPS. The action specifies the next hop of the packets. When a packet arrives at a
router or firewall with PBR enabled, it determines if the packet matches a configured policy and
then routes it accordingly. PBR enables packets to take different paths based on the match
criteria.
 If supported, enable GRE keepalives on the primary and secondary tunnels.

When you configure a GRE tunnel to the service, enable GRE keepalives so the traffic can switch
from the primary to the secondary tunnel in the event of a failure. Additionally, ensure that the
settings are neither too aggressive nor too slow in detecting when the tunnel is down.
If your router or firewall does not support GRE keepalives, you can configure ICMP probes
instead.
 For Cisco routers, you can use IP SLAs to monitor the tunnels. You can set a threshold so the
traffic can switch from the primary to the secondary tunnel when the threshold is exceeded. For
Juniper routers, you can use RPM (real-time performance monitoring) to monitor the VPNs.
 Network Address Translation (NAT)
Most firewalls and routers apply the policy based route to redirect traffic to the tunnel before
they apply NAT to the traffic. Therefore, the internal client IP addresses of traffic routed through
the tunnel are preserved. If your firewall or router performs NAT before it sends traffic through
the tunnel, consider disabling NAT to allow the Zscaler service to see internal IP addresses. This
enables the service to use the internal IP addresses for logging and reporting. Additionally, you
can configure sub-locations to identify internal networks whose outbound traffic is encapsulated
in the GRE tunnel. When using sub-locations, the service can retrieve the IP addresses of the
internal networks and apply custom policies to the traffic of the internal networks. For more
information about sub-locations, refer to the Web and Mobile Security Administrator's Guide.
 If your firewall has an ACL blocking inbound connections, configure a rule to allow GRE traffic
(protocol 47).

Configuration Tasks
To configure GRE tunnels from your corporate network to the Zscaler service:
1. Contact your Zscaler representative or Customer Support to have a GRE tunnel provisioned for
your account. You will need the public IP address of your local gateway. See Step 1: Provision GRE
Tunnels.
2. Log in to the service portal and add your gateway location. See Step 2: Add a Gateway Location.
3. Configure your router or firewall to allow the GRE tunnel. Please refer to the documentation of
your router or firewall for configuration instructions. For configuration examples, see Step 3:
Configure the Router/Firewall .
Learn about...
Step 1: Provision GRE Tunnels
GRE Guide, Rev. C Copyright © 2014 Zscaler - 10 -

Step 1: Provision GRE Tunnels
Contact Zscaler Customer Support and provide the following information so Zscaler can provision the
GRE tunnels:
 Public IP address of the tunnel source
 The physical location of your router or firewall.
Zscaler then assigns VIPs (virtual IP addresses) for use as the source and destination addresses inside
the tunnel. Zscaler assigns these addresses from a pool of non-routable address space
that Zscaler manages to ensure that no two customers attempt to use the same IP addresses. The
following is an example of what Zscaler sends to an organization that wants to configure GRE tunnels:
1
Tunnel Source IP : 192.0.2.2
2
Internal Range : 172.18.58.120 - 172.18.58.127
3
Primary Destination : 216.66.5.49
4
Internal Router IP : 172.18.58.121/30
5
Internal ZEN IP : 172.18.58.122/30
6
Secondary Destination : 199.168.149.79
7
Internal Router IP : 172.18.58.125/30
8
Internal ZEN IP : 172.18.58.126/30
When Zscaler assigns the VIPs, the Zscaler service binds the source and destination addresses to the
specified primary and secondary ZENs. The ZENs will be listening specifically for traffic from the
source VIP and addressed to its destination VIP. When your GRE tunnel sends traffic to the Zscaler
service, the ZEN associates the virtual source and destination addresses with your organization.
Learn about...
Step 2: Add a Gateway Location
1
The IP address of the tunnel source. This is provided by the customer.
2
The IP address range that Zscaler assigned to the organization.
3
The IP address of the ZEN that is the primary tunnel destination. Zscaler has ZENs
worldwide and selects the most appropriate ZENs as destinations for your tunnels.
4
The VIP of the tunnel source.
5
The VIP of the tunnel destination.
6
The IP address of the ZEN that is the secondary tunnel destination. Zscaler has ZENs
worldwide and selects the most appropriate ZENs as destinations for your tunnels.
7
The VIP of the tunnel source.
8
The VIP of the tunnel destination.

Step 2: Add a Gateway Location
After your IP addresses have been provisioned on the Zscaler service, log in to the service and define
your organization’s gateway location as follows:
1. Go to Administration > Resources > Locations. See screen.
2. Click Add.
3. Enter general information about the location:
 Type in its Name
 Choose the Country.
 Enter a State/Province, if applicable.
 Choose the Time Zone of the location.
When you specify the location in a policy, the service applies the policy according to the
location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook
between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at
each location will be blocked during their respective daytime hours.
4. Choose the IP addresses for the location:
 The Public IP Addresses list displays the IP addresses that you sent to Zscaler when it
provisioned your organization. Choose IP addresses for the location.
 Optionally, enable the other features on this page. For more information about these features,
refer to the Web and Mobile Security Administrator's Guide.
5. Click Save and Activate.
Learn about...
Step 3: Configure the Router/Firewall

Step 3: Configure the Router/Firewall
Configure your router or firewall to allow the GRE tunnel. Please refer to the documentation of your
router or firewall for configuration instructions. Click any of the following to view the configuration
example:
 Configuration Example: Cisco 881
 Configuration Example: Juniper SRX
Configuration Example: Cisco 881

This example illustrates how to configure a GRE tunnel between a Cisco 881 and ZENs in the Zscaler
service. As shown in the figure, two GRE tunnels are configured between the gateway WAN port, fa4,
which has a static public IP address, 192.0.2.2, and two ZENs in two different data centers
(216.66.5.49 and 199.168.149.179).
Zscaler has assigned the following IP addresses for the GRE tunnels:
Tunnel Source IP: 192.0.2.2

Internal Range: 172.18.58.120 - 172.18.58.127
Primary Destination: 216.66.5.49

Internal Router IP: 172.18.58.121/30
Internal ZEN IP: 1172.18.58.122/30
Secondary Destination: 199.168.149.179

Internal ZEN IP: 172.18.58.126/30
The router receives ingress traffic on ports fa0, fa1, fa2 and fa3. They forward HTTP and HTTPS traffic
to the WAN gateway port, fa4, which uses the GRE tunnel interfaces tunnel 2700 and tunnel 2800 to
send the HTTP and HTTPS traffic through the GRE tunnel to the Zscaler service. The router performs
NAT on the other traffic that it sends directly to the Internet.

The following steps describe how to configure a GRE tunnel from the Cisco 881 router to the ZENs as
depicted in the illustration:
1. Add a gateway location to the Zscaler service.
2. Configure the router.
Configure the Cisco 881 Router

This section provides the steps and commands that were used to configure a tunnel from a a Cisco
881 router running iOS version 15.1 to ZENs in different data centers. Refer to the Cisco
documentation for information about the commands.
The sample configuration shows how to configure the following on two tunnel interfaces (tunnel 2700
and tunnel 2800) on the gateway WAN port FastEthernet4 (fa4). (Note that the tunnel names are
arbitrary and you can use different tunnel names in your configuration.):
 tunnel 2700 with an IP address of 172.18.58.121 and its destination address is 216.66.5.49
 tunnel 2800 with an IP address of 172.18.58.125 and its destination address is 199.168.149.179
 Set the max segment size (mss) to an appropriate value, depending on your network. In this
example, the MSS value is set to 1300.
 NAT is not configured on the interface so the Zscaler service can log internal IP addresses and
you can configure sub-locations.
Sample Configuration
interface Tunnel2700
ip address 172.18.58.121 255.255.255.252
ip virtual-reassembly
ip tcp adjust-mss 1300
tunnel source FastEthernet4
tunnel destination 216.66.5.49
end

ip address 172.18.58.125 255.255.255.252
end
In Cisco iOS routers, policy-based routing is implemented using route maps. The following sample
configuration creates an access list that specifies the outbound traffic and defines the route map that
sends that traffic over Tunnel 2700 first, then Tunnel 2800:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map zscaler-tunnel permit 10

match ip address 101
set interface Tunnel2700 Tunnel2800
Note that you can exclude traffic from specific sources from being redirected to the GRE tunnel. The
following example excludes traffic from a host (192.168.1.1) from being redirected to the tunnel:
access-list 101 deny ip any host 192.168.1.1
In this example, we assume that the ingress traffic is received by the router on port fa-0 to fa-3 in
VLAN 2. The IP addresses on these ports are assigned by DHCP and their HTTP and HTTPS traffic is
forwarded to the GRE tunnels 2700 and 2800. NAT is performed on the remaining traffic.
interface FastEthernet0
switchport access vlan 2
!
!

!
!
description $ES_WAN$
ip address dhcp client-id FastEthernet4 hostname 10.35.3.41
ip access-group 80 in
ip access-group 80 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
!
interface Vlan2
ip address 10.65.199.129 255.255.255.128
ip nat inside
ip policy route-map zscaler-tunnel
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 10.96.13.254
!
ip access-list extended NAT
permit ip 10.65.199.0 0.0.0.255 any
deny ip any any
!
logging esm config

access-list 23 permit 10.10.10.0 0.0.0.7
access-list 80 permit any
access-list 100 permit ip any any
access-list 180 permit ip 10.0.0.0 0.255.255.255 any
no cdp run
!
Enable IP SLAs to monitor the tunnels. You can set a threshold for HTTP page load times so traffic can
switch from the primary to the secondary tunnel when the threshold is exceeded. Zscaler
recommends that you use the ZEN IP address as the IP address that is used for monitoring, to ensure
that the IP address is reachable and routable through the tunnel. For example, you can specify the
Cloud Performance Monitor Test page of the ZEN at which the GRE tunnel terminates (zen_ip-
address/test, as shown in the sample configuration.
ip sla 1
http raw http://172.17.160.174
timeout 300
threshold 300
http-raw-request
GET http://216.66.5.49/test/ HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n

\r\n
\r\n
exit
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-
type consecutive 3
ip sla schedule 1 life forever start-time now
ip sla 2
http raw http://172.17.160.174
timeout 300
threshold 300
http-raw-request
end\r\n
\r\n
\r\n
\r\n
exit
type consecutive 3
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 100 deny ip any any
!
Troubleshooting the Cisco 881 Router Configuration

Following are some sample commands that you can use to monitor and troubleshoot the GRE tunnel.
Ping the Zscaler internal tunnel IP address to validate the tunnel is up and routing is correct
ping 172.18.58.122
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.58.122, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ping 172.18.58.126
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.58.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ensure that the tunnel interface and protocol are up using show int tunnel command as shown
below:
show int tun 2800
Tunnel2800 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.18.58.125/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (5 sec), retries 3
Tunnel source 192.0.2.2 (FastEthernet4), destination 199.168.149.179
Tunnel Subblocks:
src-track:
Tunnel2800 source tracking subblock associated with FastEthernet4
Set of tunnels with source FastEthernet4, 19 members (includes
iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5450 packets input, 3690507 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
588861 packets output, 29175729 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

View the track status.
VPN-test#show track
Track 400
IP SLA 400 reachability
Reachability is Down
3 changes, last change 00:16:23
Latest operation return code: Timeout
Track 500
IP SLA 500 reachability
Reachability is Up
2 changes, last change 01:01:27
Latest operation return code: OK
Latest RTT (millisecs) 1
View the SLA statistics.

VPN-test#show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 2

Number of successes: Unknown
Number of failures: Unknown
Operation time to live: 0

Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *02:29:07.511 UTC Sat May 19 2012
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 2
Operation time to live: Forever

Latest RTT: 1 milliseconds
Latest operation start time: *02:29:10.719 UTC Sat May 19 2012
Latest operation return code: OK
Number of successes: 2

Number of failures: 0
Operation time to live: Forever
Ensure that the router applies the route-map to the appropriate traffic:
show route-map zscaler-tunnel
route-map zscaler-tunnel, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
interface Tunnel700 Tunnel1500
Policy routing matches: 76258 packets, 17131024 bytes

Configuration Example: Juniper SRX
This example illustrates how to configure a GRE tunnel between a Juniper SRX220 running iOS version
11.4 and ZENs in the Zscaler service. As shown in the figure, primary and secondary GRE tunnels are
configured from the gateway port of the Juniper SRX to two ZENS in the Zscaler service. The public IP
address of the gateway port, ge-0/0/0 on the router is 192.0.2.2.
Zscaler has assigned the following IP addresses for the GRE tunnels:
Tunnel Source IP: 192.0.2.2

Internal Range: 172.18.58.120 - 172.18.58.127
Primary Destination: 216.66.5.49

Internal ZEN IP: 172.18.58.122/30
Secondary Destination: 199.168.149.179

Internal ZEN IP: 172.18.58.126/30
The router receives ingress traffic on port ge-0/0/4. It forwards outbound traffic to ge-0-0-0 in the
Untrust Zone, which uses the two sub interfaces unit0 and unit1 to send HTTP and HTTPS traffic
through the GRE tunnel to the Zscaler service. It performs NAT on the non-Web traffic that it sends
directly to the Internet.
To configure the Juniper SRX220:

1. Add a gateway location to the Zscaler service.
2. Configure the Juniper SRX220.

Configure the Juniper SRX220 Router
This section provides the sample configuration for configuring GRE tunnel interfaces on a Juniper
SRX220 router running iOS version 11.4. Refer to the Juniper documentation for information about
the commands.
Note that the Juniper SRX220 does not support GRE keepalives. So ICMP probes are used for
monitoring instead.
Configure the following sub- interfaces on ge-0/0/0 (192.0.2.2):
 ge-0/0/0 unit0
 Secondary tunnel interface
 Its IP address is 172.18.58.125, and its destination address is 199.168.149.179
 ge-0/0/0 unit1
 Primary tunnel interface
 Its IP address is 172.18.58.121, and its destination address is 216.66.5.49
root# run show configuration interfaces
..
..
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
gr-0/0/0 {
unit 0 {
description backup-tunnel;
tunnel {
source 192.0.2.2;
destination 199.168.149.179;
}
family inet {
mtu 1500;
address 172.18.58.125/30;
}
}
unit 1 {

description primary-tunnel;
tunnel {
source 192.0.2.2;
destination 216.66.5.49;
}
family inet {
mtu 1500;
address 172.18.58.121/30;
}
}
Create a routing instance for the GRE tunnel. It will be used to redirect the HTTPS and HTTPS traffic to
the GRE tunnel. It will also be used for probing, if the probes do not use the source address. Ensure
that the route for the secondary tunnel, which is through gr-0/0/0.0, has a higher preference number
so that it will be given less preference in routing with respect to the primary route, which is through
gr-0/0/0.1.
root# run show configuration routing-instances
traffic_tunnel {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop gr-0/0/0.0 {
preference 200;
}
qualified-next-hop gr-0/0/0.1;
}
}
}
}
Ensure that the inet.0 routes are also added into the routing table of the GRE tunnel routing instance.
Sample Commands
root# run show configuration routing-options
interface-routes {
rib-group inet global-rib;
}
rib-groups {

global-rib {
import-rib [ inet.0 traffic_tunnel.inet.0 ];
}
}
At this point, the GRE tunnel has been created and the routes have been inserted. Create two ICMP-
based probes to monitor the GRE end points on the Zscaler service (172.18.58.122 and
172.18.58.126).
Sample Commands
root# run show configuration services rpm
probe icmp_gre {
test icmp {
probe-type icmp-ping;
target address 172.18.58.122;
probe-count 5;
probe-interval 5;
test-interval 10;
source-address 172.18.58.121;
thresholds {
successive-loss 5;
total-loss 5;
}
}
}
probe icmp_gre_backup {
test icmp_backup {
probe-count 5;
probe-interval 5;
test-interval 10;
thresholds {
successive-loss 5;
total-loss 5;
}
}
}

Enable IP monitoring for the probe, so if the probe to the primary interface at 172.18.58.122 fails,
then the other route (gr-0/0/0.0) is inserted in the GRE routing instance, ensuring that traffic is moved
from the primary to the secondary tunnel.
Sample Commands
root# run show configuration services ip-monitoring
policy failover {
match {
rpm-probe icmp_gre;
}
then {
preferred-route {
routing-instances traffic_tunnel {
route 0.0.0.0/0 {
next-hop 172.18.58.126;
}
}
}
}
}
policy failover_backup {
match {
rpm-probe icmp_gre_backup;
}
then {
preferred-route {
route 0.0.0.0/0 {
next-hop 172.18.58.122;
}
}
}
}
}
Use policy-options to configure a routing policy that specifies that HTTP and HTTPS traffic from the
internal network (192.168.0.0/16) will be sent through the GRE tunnel and all other traffic will use the
inet.0 routing instance.
Sample Commands
root# run show configuration policy-options
prefix-list zscalernoredirect {

13.13.13.0/24;
}
prefix-list zscalerredirect {
192.168.0.0/16;
}
[edit]
root# run show configuration firewall
filter zscalerredirect {
term zscalernoredirect {
from {
destination-prefix-list {
zscalernoredirect;
}
}
then accept;
}
term zscalerredirect {
from {
source-prefix-list {
zscalerredirect;
}
destination-port [ http https ];
}
then {
routing-instance traffic_tunnel;
}
}
term allow-everything-else {
from {
destination-port 0-65535;
}
then accept;
}
}
Ensure that the policy is applied on the interface that receives the ingress traffic that is to be sent
through the GRE tunnel. Note that this command will not work for the Ethernet-switching family, but
will work for inet family.

ge-0/0/4 {
unit 0 {
family inet {
filter {
input zscalerredirect;
}
address 192.168.1.101/24;
}
}
}
Ensure that all the security zones are created, and that they have the security policies that allow the
specified traffic from the Trust to the Untrust zone and vice versa.
root# run show configuration security zones
security-zone trust {
address-book {
address local-net 192.168.0.0/16;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
ge-0/0/4.0;
}
}
security-zone untrust {
screen untrust-screen;
system-services {
all;

}
}
interfaces {
ge-0/0/0.0 {
system-services {
dhcp;
tftp;
all;
}
}
}
gr-0/0/0.0;
gr-0/0/0.1;
}
}
Configure security policies that allow the specified traffic from the Trust to the Untrust zone and vice
versa.
Sample Configruation
Here are the security policies:
root# run show configuration security policies
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy any-permit {
match {
source-address any;

application any;
}
then {
permit;
}
}
}
Troubleshooting
This section provides some sample commands that you can use to monitor and troubleshoot the GRE
tunnel.
Ensure that you can ping the GRE endpoints on the Zscaler service:
root# run ping 172.18.58.126 source 172.18.58.125

PING 172.18.58.126 (172.18.58.126): 56 data bytes
64 bytes from 172.18.58.126: icmp_seq=0 ttl=64 time=8.029 ms
^C
--- 172.18.58.126 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.107/5.068/8.029/2.961 ms
[edit]
root# run ping 172.18.58.122 source 172.18.58.121
PING 172.18.58.122 (172.18.58.122): 56 data bytes
^C
--- 172.18.58.122 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.257/2.339/2.423/0.068 ms
Ensure that ip-monitoring is working:

root# run show services ip-monitoring status
Policy - failover (Status: PASS)

RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
icmp_gre icmp 172.18.58.122 PASS
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
traffic_tunnel 0.0.0.0/0 172.18.58.126 NOT-APPLIED
Policy - failover_backup (Status: PASS)

RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
icmp_gre_backup icmp_backup 172.18.58.126 PASS
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
traffic_tunnel 0.0.0.0/0 172.18.58.122 NOT-APPLIED
[edit]
Check the routing table and the Zscaler GRE routing instance. In the following commands,
traffic_tunnel.inet.0 is used for GRE traffic routing. It is pointing to gr-0/0/0.1 as the primary route and
to gr-0/0/0.0 as the secondary route.
root# run show route
inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Access-internal/12] 05:34:30

> to 10.96.13.254 via ge-0/0/0.0
10.32.32.0/24 *[Static/5] 05:34:30
> to 10.96.13.254 via ge-0/0/0.0
10.96.13.0/24 *[Direct/0] 05:34:30
> via ge-0/0/0.0
192.0.2.2/32 *[Local/0] 05:34:30
Local via ge-0/0/0.0

98.139.183.0/24 *[Static/5] 02:23:05
> via gr-0/0/0.1
172.18.58.144/30 *[Direct/0] 01:28:06
> via gr-0/0/0.1
172.18.58.121/32 *[Local/0] 01:28:06
Local via gr-0/0/0.1
172.18.58.148/30 *[Direct/0] 01:28:06
> via gr-0/0/0.0
172.18.58.125/32 *[Local/0] 01:28:06
192.168.1.1/32 *[Local/0] 05:34:51
Reject
192.168.1.101/32 *[Local/0] 01:58:54
Reject
traffic_tunnel.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0

hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 02:23:05

> via gr-0/0/0.1
[Static/200] 05:34:41
> via gr-0/0/0.0
10.96.13.0/24 *[Direct/0] 05:34:30
> via ge-0/0/0.0
192.0.2.2/32 *[Local/0] 05:34:30
Local via ge-0/0/0.0
172.18.58.144/30 *[Direct/0] 01:28:06
> via gr-0/0/0.1
172.18.58.121/32 *[Local/0] 01:28:06
172.18.58.148/30 *[Direct/0] 01:28:06
> via gr-0/0/0.0
172.18.58.125/32 *[Local/0] 01:28:06
192.168.1.1/32 *[Local/0] 02:09:21
Reject
192.168.1.101/32 *[Local/0] 01:09:26

Reject
Check the probe status:

root# run show services rpm probe-results
Owner: icmp_gre, Test: icmp

Target address: 172.18.58.122, Source address: 172.18.58.121,
Probe type: icmp-ping, Test size: 5 probes
Probe results:
Response received, Thu May 16 10:35:10 2013, No hardware timestamps
Rtt: 7440 usec
Results over current test:
Probes sent: 3, Probes received: 3, Loss percentage: 0
Measurement: Round trip time
Samples: 3, Minimum: 2041 usec, Maximum: 7440 usec, Average: 3874
usec,
Peak to peak: 5399 usec, Stddev: 2522 usec, Sum: 11622 usec
Results over last test:
Test completed on Thu May 16 10:34:50 2013
Samples: 5, Minimum: 2102 usec, Maximum: 55952 usec,
Average: 13946 usec, Peak to peak: 53850 usec, Stddev: 21101 usec,
Sum: 69732 usec
Results over all tests:
Sum: 7771578 usec
Owner: icmp_gre_backup, Test: icmp_backup

Target address: 172.18.58.126, Source address: 172.18.58.125,
Probe type: icmp-ping, Test size: 5 probes
Probe results:
Response received, Thu May 16 10:35:10 2013, No hardware timestamps
Rtt: 2353 usec
Results over current test:

usec,
Results over last test:
Test completed on Thu May 16 10:34:45 2013
usec,
Results over all tests:
Sum: 5146145 usec
[edit]

Complete Sample Configurations
Click the following to view the complete configurations:
 Cisco 881 Router
 Juniper SRX Router
Complete Sample Configuration for the Cisco 881

Following is the complete set of commands that were used to configure the Cisco 881 router:
show run
Building configuration...
Current configuration : 16136 bytes

!
! Last configuration change at 14:48:00 UTC Tue Jul 16 2013 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 8096
no logging console
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint tti
revocation-check crl
!

crypto pki trustpoint TP-self-signed-2721864363
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2721864363
revocation-check none
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-2721864363
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373231 38363433 3633301E 170D3133 30363132 31383239
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37323138
36343336 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B562 8F07F3C9 27A51798 A200FB7B 8831144D 079464DF E5CE2E69 7031F3A7
DFBF74A0 BB20E910 057F95DC 5384059C 2FDAB310 AFA9CA61 B745CA98 C987A664
E0FF66C0 11D0C069 F8BDE9C5 25291420 68A5316E 1B2153B7 2541C1EB 526F227B
B8E2F74B FAE66C82 B7F8347C 108DE12B 6824C1B2 7FF930A3 4A8650C8 0C5A99D2
277B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1423C3EE 7927E46A FA1516B0 CDA87259 032CF389 7E301D06
03551D0E 04160414 23C3EE79 27E46AFA 1516B0CD A8725903 2CF3897E 300D0609
2A864886 F70D0101 04050003 818100AA F193C465 B04E1028 7B4F96FF B598D81B
CB8069D9 122E1974 7641B540 708068FB 869DCD34 4B9334DF C0AC2CDD D4C7C37D
F673374D C2454733 9364D0DB 631A73D6 A11005FB 475734F5 7130B6F2 9044D650
0278F955 78E27E0A 17839985 2207DAFA 188CA745 F772ACA7 2E6294D2 27426102
D79960C9 666D9DBC B942908C 87E9FF
quit
ip source-route
!
!
!
ip dhcp excluded-address 10.65.199.129
!
ip dhcp pool ccp-pool
import all
network 10.65.199.128 255.255.255.128

default-router 10.65.199.129
dns-server 10.32.112.10
lease 0 2
!
!
ip cef
ip domain name yourdomain.com
ip name-server 10.10.104.23
no ipv6 cef
!
!
parameter-map type inspect test
parameter-map type consent test
!
license udi pid CISCO881-K9 sn FCZ1510C25F
!
!
username root privilege 15 secret 5 $1$tNw1$LDdmzCh/UNWcL.odwKkyD1
username admin privilege 15 secret 5 $1$lXn2$gxtDItkOXiDydXTA0Netu.
username adminr privilege 15 secret 5 $1$ZnCs$B/0DfujHTS6.Kr/uIIYbq.
!
!
!
!
!
track 400 ip sla 400 reachability
!
track 500 ip sla 500 reachability
!
!
!
!
!
!
!

ip address 172.18.58.121 255.255.255.252
!
ip address 172.18.58.125 255.255.255.252
!
!
!
!
!
description $ES_WAN$
ip address dhcp client-id FastEthernet4 hostname 10.35.3.41
ip nat outside
duplex auto
speed auto
!
interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
!
interface Vlan2
ip address 10.65.199.129 255.255.255.128
ip nat inside
ip policy route-map zscaler-tunnel
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.96.13.254
!
ip access-list extended NAT
permit ip 10.65.199.0 0.0.0.255 any
deny ip any any
!ip sla 1
http raw http://172.17.160.170:9480
timeout 300
threshold 300
http-raw-request
end\r\n
\r\n

\r\n
\r\n
exit
type consecutive 3
ip sla 2
http raw http://172.17.160.174
timeout 300
threshold 300
http-raw-request
end\r\n
\r\n
\r\n
\r\n
exit
type consecutive 3
logging esm config
access-list 80 permit any
access-list 180 permit ip 10.0.0.0 0.255.255.255 any
no cdp run

Sample Configuration for the Juniper SRX220
Following is the complete set of commands that were used to configure the Juniper SRX220:
root# run show configuration

## Last commit: 2013-05-16 09:19:34 UTC by root
version 11.4R3.7;
system {
root-authentication {
encrypted-password "$1$kR7I/O3B$ZezY.j09/sk6IWYJWcEVm."; ## SECRET-
DATA
}
name-server {
10.35.3.41;
10.35.3.42;
}
services {
ssh {
root-login allow;
}
telnet;
xnm-clear-text;
web-management {
http {
interface [ vlan.0 ge-0/0/1.0 ge-0/0/0.0 ];
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}

propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
gr-0/0/0 {
unit 0 {
description backup-tunnel;
tunnel {
source 192.0.2.2;

destination 199.168.149.179;
}
family inet {
mtu 1500;
address 172.18.58.125/30;
}
}
unit 1 {
description primary-tunnel;
tunnel {
source 192.0.2.2;
destination 216.66.5.49;
}
family inet {
mtu 1500;
address 172.18.58.121/30;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}

ge-0/0/3 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
filter {
input zscalerredirect;
}
address 192.168.1.101/24;
}
}
}
ge-0/0/5 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}

ge-0/0/7 {
unit 0 {
vlan {
members vlan-trust;
}
}
}
}
st0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
}
}
st1 {
unit 0 {
family inet;
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
interface-routes {
rib-group inet global-rib;
}
static {
route 0.0.0.0/0 next-hop [ st0.0 st0.1 ];
route 10.32.32.0/24 next-hop 10.96.13.254;

route 98.139.183.0/24 next-hop gr-0/0/0.1;
}
rib-groups {
global-rib {
import-rib [ inet.0 traffic_tunnel.inet.0 ];
}
}
}
protocols {
stp;
}
policy-options {
prefix-list zscalernoredirect {
13.13.13.0/24;
}
prefix-list zscalerredirect {
192.168.0.0/16;
}
}
security {
ike {
proposal test {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy ike-policy1 {
mode aggressive;
proposals test;
pre-shared-key ascii-text "$9$rYllMXdVYoZj"; ## SECRET-DATA
}
policy test {
mode aggressive;
proposals test;
pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"; ## SECRET-DATA

}
gateway ike-gate {
ike-policy ike-policy1;
address 10.10.104.71;
dead-peer-detection {
always-send;
interval 20;
threshold 5;
}
nat-keepalive 20;
external-interface ge-0/0/0;
}
gateway ike-gate-secondary {
ike-policy ike-policy1;
address 10.10.104.235;
dead-peer-detection {
always-send;
interval 20;
threshold 5;
}
nat-keepalive 20;
external-interface ge-0/0/0;
}
}
ipsec {
vpn-monitor-options {
interval 30;
threshold 4;
}
proposal test {
protocol esp;
authentication-algorithm hmac-sha1-96;
lifetime-seconds 1800;
}
policy vpn-policy1 {
proposal-set standard;
}

vpn ike-vpn {
bind-interface st0.0;
df-bit set;
vpn-monitor {
optimized;
source-interface ge-0/0/0;
destination-ip 216.66.5.49;
}
ike {
gateway ike-gate;
idle-time 4000;
ipsec-policy vpn-policy1;
}
establish-tunnels immediately;
}
vpn ike-vpn-secondary {
bind-interface st0.1;
df-bit set;
vpn-monitor {
optimized;
source-interface ge-0/0/0;
destination-ip 10.10.104.246;
}
ike {
gateway ike-gate-secondary;
idle-time 4000;
ipsec-policy vpn-policy1;
}
establish-tunnels immediately;
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1300;
}
}

}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nat-out {
from zone trust;
to zone untrust;
rule interface-nat {
match {
source-address 192.168.0.0/16;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}

}
}
}
}
policies {
from-zone trust to-zone vpn {
policy vpn-tr-vpn {
match {
source-address local-net;
destination-address remote-net;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-vpn-tr {
match {
source-address remote-net;
destination-address local-net;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust-to-trust {
match {
source-address any;
application any;
}
then {

permit;
}
}
}
from-zone trust to-zone untrust {
policy any-permit {
match {
source-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address local-net 192.168.0.0/16;
}
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
ge-0/0/4.0;
}
}
security-zone untrust {
screen untrust-screen;

system-services {
ike;
all;
}
}
interfaces {
ge-0/0/0.0 {
system-services {
dhcp;
tftp;
all;
}
}
}
gr-0/0/0.0;
gr-0/0/0.1;
}
}
security-zone vpn {
address-book {
address remote-net 0.0.0.0/0;
}
interfaces {
st0.0;
st0.1;
}
}
}
}
firewall {
filter zscalerredirect {
term zscalernoredirect {
from {
destination-prefix-list {
zscalernoredirect;

}
}
then accept;
}
term zscalerredirect {
from {
source-prefix-list {
zscalerredirect;
}
destination-port [ http https ];
}
then {
}
}
term allow-everything-else {
from {
destination-port 0-65535;
}
then accept;
}
}
}
routing-instances {
traffic_tunnel {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop gr-0/0/0.0 {
preference 200;
}
qualified-next-hop gr-0/0/0.1;
}
}
}
}

}
services {
rpm {
probe gre {
test gre-keepalive {
probe-type http-get;
target url http://216.66.5.49/test;
probe-count 3;
probe-interval 10;
test-interval 10;
thresholds {
successive-loss 3;
total-loss 6;
}
}
}
probe gre_backup {
test gre-keepalive {
target url http://98.139.183.24/;
probe-count 3;
probe-interval 10;
test-interval 10;
thresholds {
successive-loss 3;
total-loss 6;
}
}
}
probe icmp_gre {
test icmp {
probe-count 5;
probe-interval 5;

test-interval 10;
thresholds {
successive-loss 5;
total-loss 5;
}
}
}
probe icmp_gre_backup {
test icmp_backup {
probe-count 5;
probe-interval 5;
test-interval 10;
thresholds {
successive-loss 5;
total-loss 5;
}
}
}
probe trial {
test trial {
target url http://172.18.58.122/test;
probe-count 3;
probe-interval 10;
test-interval 10;
thresholds {
successive-loss 3;
total-loss 3;
}
}
}
}

ip-monitoring {
policy failover {
match {
rpm-probe icmp_gre;
}
then {
preferred-route {
route 0.0.0.0/0 {
next-hop 172.18.58.126;
}
}
}
}
}
policy failover_backup {
match {
rpm-probe icmp_gre_backup;
}
then {
preferred-route {
route 0.0.0.0/0 {
next-hop 172.18.58.122;
}
}
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

Following are the set commands used:
set version 11.4R3.7

set system root-authentication encrypted-password
"$1$kR7I/O3B$ZezY.j09/sk6IWYJWcEVm."
set system name-server 10.35.3.41
set system name-server 10.35.3.42
set system services ssh root-login allow
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface ge-0/0/1.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high
192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url
https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces gr-0/0/0 unit 0 description backup-tunnel
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.2
set interfaces gr-0/0/0 unit 0 tunnel destination 199.168.149.179
set interfaces gr-0/0/0 unit 0 family inet mtu 1500
set interfaces gr-0/0/0 unit 0 family inet address 172.18.58.125/30
set interfaces gr-0/0/0 unit 1 description primary-tunnel

set interfaces gr-0/0/0 unit 1 tunnel source 192.0.2.2
set interfaces gr-0/0/0 unit 1 tunnel destination 216.66.5.49
set interfaces gr-0/0/0 unit 1 family inet mtu 1500
set interfaces gr-0/0/0 unit 1 family inet address 172.18.58.121/30
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-
trust
trust
trust
set interfaces ge-0/0/4 unit 0 family inet filter input zscalerredirect
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.101/24
trust
trust
trust
set interfaces st0 unit 0 family inet
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options interface-routes rib-group inet global-rib
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop st0.1
set routing-options static route 10.32.32.0/24 next-hop 10.96.13.254
set routing-options static route 98.139.183.0/24 next-hop gr-0/0/0.1
set routing-options rib-groups global-rib import-rib inet.0
set routing-options rib-groups global-rib import-rib traffic_tunnel.inet.0
set protocols stp
set policy-options prefix-list zscalernoredirect 13.13.13.0/24
set policy-options prefix-list zscalerredirect 192.168.0.0/16
set security ike proposal test authentication-method pre-shared-keys
set security ike proposal test dh-group group2
set security ike proposal test authentication-algorithm sha1
set security ike proposal test encryption-algorithm aes-128-cbc
set security ike proposal test lifetime-seconds 86400
set security ike policy ike-policy1 mode aggressive
set security ike policy ike-policy1 proposals test

set security ike policy ike-policy1 pre-shared-key ascii-text
"$9$rYllMXdVYoZj"
set security ike policy test mode aggressive
set security ike policy test proposals test
set security ike policy test pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 10.10.104.71
set security ike gateway ike-gate dead-peer-detection always-send
set security ike gateway ike-gate dead-peer-detection interval 20
set security ike gateway ike-gate dead-peer-detection threshold 5
set security ike gateway ike-gate nat-keepalive 20
set security ike gateway ike-gate external-interface ge-0/0/0
set security ike gateway ike-gate-secondary ike-policy ike-policy1
set security ike gateway ike-gate-secondary address 10.10.104.235
set security ike gateway ike-gate-secondary dead-peer-detection always-send
set security ike gateway ike-gate-secondary dead-peer-detection interval 20
set security ike gateway ike-gate-secondary dead-peer-detection threshold 5
set security ike gateway ike-gate-secondary nat-keepalive 20
set security ike gateway ike-gate-secondary external-interface ge-0/0/0
set security ipsec vpn-monitor-options interval 30
set security ipsec vpn-monitor-options threshold 4
set security ipsec proposal test protocol esp
set security ipsec proposal test authentication-algorithm hmac-sha1-96
set security ipsec proposal test lifetime-seconds 1800
set security ipsec policy vpn-policy1 proposal-set standard
set security ipsec vpn ike-vpn bind-interface st0.0
set security ipsec vpn ike-vpn df-bit set
set security ipsec vpn ike-vpn vpn-monitor optimized
set security ipsec vpn ike-vpn vpn-monitor source-interface ge-0/0/0
set security ipsec vpn ike-vpn vpn-monitor destination-ip 216.66.5.49
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike idle-time 4000
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn establish-tunnels immediately
set security ipsec vpn ike-vpn-secondary bind-interface st0.1
set security ipsec vpn ike-vpn-secondary df-bit set
set security ipsec vpn ike-vpn-secondary vpn-monitor optimized

set security ipsec vpn ike-vpn-secondary vpn-monitor source-interface ge-
0/0/0
set security ipsec vpn ike-vpn-secondary vpn-monitor destination-ip
10.10.104.246
set security ipsec vpn ike-vpn-secondary ike gateway ike-gate-secondary
set security ipsec vpn ike-vpn-secondary ike idle-time 4000
set security ipsec vpn ike-vpn-secondary ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn-secondary establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1300
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold
1024
set security screen ids-option untrust-screen tcp syn-flood attack-
threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-
threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-
threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set nat-out from zone trust
set security nat source rule-set nat-out to zone untrust
set security nat source rule-set nat-out rule interface-nat match source-
address 192.168.0.0/16
set security nat source rule-set nat-out rule interface-nat match
destination-address 0.0.0.0/0
set security nat source rule-set nat-out rule interface-nat then source-nat
interface
set security policies from-zone trust to-zone vpn policy vpn-tr-vpn match
source-address local-net
destination-address remote-net
application any
set security policies from-zone trust to-zone vpn policy vpn-tr-vpn then
permit
set security policies from-zone vpn to-zone trust policy vpn-vpn-tr match
source-address remote-net
destination-address local-net

application any
set security policies from-zone vpn to-zone trust policy vpn-vpn-tr then
permit
set security policies from-zone untrust to-zone trust policy untrust-to-
trust match source-address any
trust match destination-address any
trust match application any
trust then permit
set security policies from-zone trust to-zone untrust policy any-permit
match source-address any
match destination-address any
match application any
then permit
set security zones security-zone trust address-book address local-net
192.168.0.0/16
set security zones security-zone trust host-inbound-traffic system-services
all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/4.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-
services ike
set security zones security-zone untrust host-inbound-traffic system-
services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-
inbound-traffic system-services dhcp
inbound-traffic system-services tftp
inbound-traffic system-services all
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces gr-0/0/0.1
set security zones security-zone vpn address-book address remote-net
0.0.0.0/0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1

set firewall filter zscalerredirect term zscalernoredirect from
destination-prefix-list zscalernoredirect
set firewall filter zscalerredirect term zscalernoredirect then accept
set firewall filter zscalerredirect term zscalerredirect from source-
prefix-list zscalerredirect
set firewall filter zscalerredirect term zscalerredirect from destination-
port http
set firewall filter zscalerredirect term zscalerredirect from destination-
port https
set firewall filter zscalerredirect term zscalerredirect then routing-
instance traffic_tunnel
set firewall filter zscalerredirect term allow-everything-else from
destination-port 0-65535
set firewall filter zscalerredirect term allow-everything-else then accept
set routing-instances traffic_tunnel instance-type forwarding
set routing-instances traffic_tunnel routing-options static route 0.0.0.0/0
qualified-next-hop gr-0/0/0.0 preference 200
set routing-instances traffic_tunnel routing-options static route 0.0.0.0/0
qualified-next-hop gr-0/0/0.1
set services rpm probe gre test gre-keepalive probe-type http-get
set services rpm probe gre test gre-keepalive target url
http://216.66.5.49/test
set services rpm probe gre test gre-keepalive probe-count 3
set services rpm probe gre test gre-keepalive probe-interval 10
set services rpm probe gre test gre-keepalive test-interval 10
set services rpm probe gre test gre-keepalive routing-instance
traffic_tunnel
set services rpm probe gre test gre-keepalive thresholds successive-loss 3
set services rpm probe gre test gre-keepalive thresholds total-loss 6
set services rpm probe gre_backup test gre-keepalive probe-type http-get
set services rpm probe gre_backup test gre-keepalive target url
http://98.139.183.24/
set services rpm probe gre_backup test gre-keepalive probe-count 3
set services rpm probe gre_backup test gre-keepalive probe-interval 10
set services rpm probe gre_backup test gre-keepalive test-interval 10
set services rpm probe gre_backup test gre-keepalive routing-instance
traffic_tunnel
set services rpm probe gre_backup test gre-keepalive thresholds successive-
loss 3
set services rpm probe gre_backup test gre-keepalive thresholds total-loss
6
set services rpm probe icmp_gre test icmp probe-type icmp-ping

set services rpm probe icmp_gre test icmp target address 172.18.58.122
set services rpm probe icmp_gre test icmp probe-count 5
set services rpm probe icmp_gre test icmp probe-interval 5
set services rpm probe icmp_gre test icmp test-interval 10
set services rpm probe icmp_gre test icmp source-address 172.18.58.121
set services rpm probe icmp_gre test icmp thresholds successive-loss 5
set services rpm probe icmp_gre test icmp thresholds total-loss 5
set services rpm probe icmp_gre_backup test icmp_backup probe-type icmp-
ping
set services rpm probe icmp_gre_backup test icmp_backup target address
172.18.58.126
set services rpm probe icmp_gre_backup test icmp_backup probe-count 5
set services rpm probe icmp_gre_backup test icmp_backup probe-interval 5
set services rpm probe icmp_gre_backup test icmp_backup test-interval 10
set services rpm probe icmp_gre_backup test icmp_backup source-address
172.18.58.125
set services rpm probe icmp_gre_backup test icmp_backup thresholds
successive-loss 5
set services rpm probe icmp_gre_backup test icmp_backup thresholds total-
loss 5
set services rpm probe trial test trial probe-type http-get
set services rpm probe trial test trial target url
http://172.18.58.122/test
set services rpm probe trial test trial probe-count 3
set services rpm probe trial test trial probe-interval 10
set services rpm probe trial test trial test-interval 10
set services rpm probe trial test trial source-address 172.18.58.121
set services rpm probe trial test trial thresholds successive-loss 3
set services rpm probe trial test trial thresholds total-loss 3
set services ip-monitoring policy failover match rpm-probe icmp_gre
set services ip-monitoring policy failover then preferred-route routing-
instances traffic_tunnel route 0.0.0.0/0 next-hop 172.18.58.126
set services ip-monitoring policy failover_backup match rpm-probe
icmp_gre_backup
set services ip-monitoring policy failover_backup then preferred-route
routing-instances traffic_tunnel route 0.0.0.0/0 next-hop 172.18.58.122
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

GRE Configuration and Interoperability Guide

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

GRE Configuration and Interoperability Guide

Caricato da

Copyright:

Formati disponibili

GRE Configuration and

GRE Configuration and Interoperability Guide, Rev. C

GRE Guide, Rev. C Copyright © 2014 Zscaler -2-

GRE Guide, Rev. C Copyright © 2014 Zscaler -4-

GRE Guide, Rev. C Copyright © 2014 Zscaler -5-

GRE Guide, Rev. C Copyright © 2014 Zscaler -6-

GRE tunnels from the internal router to the ZENs.

GRE Guide, Rev. C Copyright © 2014 Zscaler -7-

GRE tunnels from the border router to the ZENs.

GRE Guide, Rev. C Copyright © 2014 Zscaler -8-

 If supported, enable GRE keepalives on the primary and secondary tunnels.

GRE Guide, Rev. C Copyright © 2014 Zscaler -9-

GRE Guide, Rev. C Copyright © 2014 Zscaler - 10 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 11 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 12 -

Configuration Example: Cisco 881

Tunnel Source IP: 192.0.2.2

Primary Destination: 216.66.5.49

Secondary Destination: 199.168.149.179

GRE Guide, Rev. C Copyright © 2014 Zscaler - 13 -

Configure the Cisco 881 Router

GRE Guide, Rev. C Copyright © 2014 Zscaler - 14 -

route-map zscaler-tunnel permit 10

GRE Guide, Rev. C Copyright © 2014 Zscaler - 15 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 16 -

logging esm config

GRE Guide, Rev. C Copyright © 2014 Zscaler - 17 -

Troubleshooting the Cisco 881 Router Configuration

GRE Guide, Rev. C Copyright © 2014 Zscaler - 18 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 19 -

View the SLA statistics.

IPSLA operation id: 2

IPSLA operation id: 400

IPSLA operation id: 500

GRE Guide, Rev. C Copyright © 2014 Zscaler - 20 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 21 -

Tunnel Source IP: 192.0.2.2

Primary Destination: 216.66.5.49

Secondary Destination: 199.168.149.179

To configure the Juniper SRX220:

GRE Guide, Rev. C Copyright © 2014 Zscaler - 22 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 23 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 24 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 25 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 26 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 27 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 28 -

GRE Guide, Rev. C Copyright © 2014 Zscaler - 29 -

root# run ping 172.18.58.126 source 172.18.58.125

Ensure that ip-monitoring is working:

Policy - failover (Status: PASS)

GRE Guide, Rev. C Copyright © 2014 Zscaler - 30 -

Policy - failover_backup (Status: PASS)

root# run show route

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)

0.0.0.0/0 *[Access-internal/12] 05:34:30

GRE Guide, Rev. C Copyright © 2014 Zscaler - 31 -

traffic_tunnel.inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0

0.0.0.0/0 *[Static/5] 02:23:05

GRE Guide, Rev. C Copyright © 2014 Zscaler - 32 -

Check the probe status:

Owner: icmp_gre, Test: icmp

Owner: icmp_gre_backup, Test: icmp_backup